CyberheistNews Vol 13 #38 No Dice for MGM Vegas As It Battles Ransomware Attack Downtime


CyberheistNews Vol 13 #38  |   September 19th, 2023

No Dice for MGM Vegas As It Battles Ransomware Attack Downtime
Stu Sjouwerman SACP

With $52 million in lost revenue and counting, a cyber-attack on MGM Resorts International, a $14B Las Vegas gaming empire with Hollywood-famous properties like the Bellagio, Cosmopolitan, Excalibur, Luxor and the MGM Grand itself, brought the house down with a perfect example of vishing: a 10-minute phone call.

Gamblers could not gamble. Guests could not access rooms. Lights went out. The attack led to hours of delays in guest check-ins and affected electronic payments, key cards, thousands of slot machines, ATMs, parking, and other systems.

A malware research group called VX-Underground claimed that the RaaS group "ALPHV" (a.k.a. BlackCat, a ransomware-as-a-service) was responsible for the attack. An earlier Reuters story on 9/13 initially reported "Scattered Spider" (a group of kids operating in the U.S. and UK), as the perpetrator.

What happened? Social engineering happened.

A member of the criminal group used the identity of an MGM employee found easily on LinkedIn, called the MGM help desk and asked for a password change. The IT person working on the help desk happily complied, and the hacker went into business, leaving no chips on the table.

ALPHV has a history of targeting other entities like Reddit and Western Digital. While MGM and the FBI have not provided details about the breach, cybersecurity experts consider VX-Underground, the group that claimed ALPHV did the deed, a reliable source.

The financial implications for MGM will be significant. Its Las Vegas Strip properties generate over $13 million per day in revenue from hotel rooms and casinos alone. The rating agency Moody's warned the breach could negatively impact MGM's credit rating.

While MGM has not yet publicly acknowledged receiving a ransom demand, they are collaborating with the FBI and cybersecurity experts to investigate the breach and restore affected systems.

Paying ransoms to cyber attackers, as Caesars did recently, does not guarantee recovery of encrypted data. The FBI advises against making such payments to extortionists for fear of encouraging further attacks.

The most effective approach to safeguarding organizations against ransomware attacks? A long list of best practices that entails implementing security measures like phishing-resistant MFA, data encryption, and frequent employee security awareness training with monthly phishing security tests.

By prioritizing these measures, organizations can enhance their resilience against ransomware attacks and avoid potential business interruption, loss of reputation and customer confidence, and millions in damages.

Blog post with links:

[RELATED TOPIC with more background:] MGM Suffers Ransomware Attack that Started with a Simple Helpdesk Call:

[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist

Now there's a super easy way to keep malicious emails away from all your users through the power of a new feature in the KnowBe4 PhishER platform!

Harness the power of reported messages from over 10 million trained users worldwide with the PhishER Plus Global Blocklist feature. This feature prevents future malicious emails, sharing the same sender, URL, or attachment, from reaching other users. These are real-world phishing threats, thoroughly vetted by both human intelligence and AI.

The result? Your Microsoft 365 email filters get a significant boost, all from within the PhishER console.

Join us for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • New! Use crowdsourced intelligence from more than 10 million users to block known threats before you're even aware of them
  • New! Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easily integrate with KnowBe4's email add-in, Phish Alert Button, or forward to a mailbox

Find out how adding PhishER can be a huge time-saver for your Incident Response team while ensuring your users are safe!

Date/Time: TOMORROW, Wednesday, September 20 @ 2:00 PM (ET)

Save My Spot!

Microsoft Teams Phishing Campaign Distributes DarkGate Malware

Researchers at Truesec are tracking a phishing campaign that's distributing the DarkGate Loader malware via external Microsoft Teams messages.

"On August 29, in the timespan from 11:25 to 12:25 UTC, Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign," the researchers write. "The message content aimed to social engineer the recipients into downloading and opening a malicious file hosted remotely."

The phishing messages purported to come from the HR department regarding employee vacation schedule changes. Recipients were asked to open an attached ZIP file to see if their vacation plans had been canceled.

The messages stated, "Dear Colleagues, I regretfully have to inform you about unplanned changes in the vacation schedule due to unforeseen circumstances. As a result of a force majeure situation that we had to take into account, we have had to cancel the vacations of certain employees. I understand that such changes might impact your plans, and I apologize for any inconvenience this may cause."

Truesec notes that the attacks were thwarted because the targeted employees realized the messages were suspicious.

"This attack was detected due to the security awareness training of the recipients," the researchers write. "Unfortunately, current Microsoft Teams security features such as Safe Attachments or Safe Links were not able to detect or block this attack. Right now, the only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains, albeit it might have business implications since all trusted external domains need to be whitelisted by an IT administrator."

New-school security awareness training can give your organization a critical layer of defense by teaching your employees to recognize social engineering attacks.

Blog post with links:

Got (Bad) Email? IT Pros Are Loving This Tool: Mailserver Security Assessment

With email still a top attack vector, do you know if hackers can get through your mail filters? Spoofed domains, malicious attachments and executables, to name a few...

Email filters have an average 7-10% failure rate: enterprise email security systems miss spam, phishing and malware attachments that often.

KnowBe4's Mailserver Security Assessment (MSA) is a complimentary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.

Here's how it works:

  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test, and result status
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!

Find out now if your mailserver is configured correctly; many are not!

Phishing Scammers Are Using AI to Create Perfect Emails

Phishing attacks have traditionally been detected through broken English, but now generative artificial intelligence (AI) tools are eliminating all those red flags. OpenAI's ChatGPT, for instance, can fix spelling mistakes, odd grammar and other errors that are common in phishing emails.

This advancement in AI technology has made it easier for even amateur hackers to analyze vast amounts of publicly available data about their targets and create highly personalized and convincing emails within seconds. These emails can be tailored to mimic the writing style of the target's loved ones or friends, making them difficult to distinguish from legitimate communication.

Abnormal Security, an email security company, observed phishing attacks using generative AI platforms. These emails are perfectly crafted and look legitimate, making them tricky to detect at first glance. The power of generative AI lies in its ability to scrape the web for personal information about a person and use it to tailor tempting emails.

While ChatGPT and similar models have built-in protections against creating malicious content, many open-source large language models lack safeguards. Hackers can license models capable of generating malware and sell them on darknet forums.

The future of AI-powered attacks is a growing concern for cybersecurity experts. AI technology has been used to create deepfakes and simulate speech, making hybrid attacks involving email, voice, and video an approaching reality. The true threat lies in AI's potential to conceive new attack methods that current systems are unable to detect.

To stay ahead of the game, some cybersecurity companies are using proprietary large language models to generate phishing emails for security awareness training. Defensive AI systems will be crucial in combating AI-powered attacks, but the challenge lies in AI's ability to generate convincing attacks at scale.

As the world becomes increasingly reliant on generative AI, corporate security practices must adapt. Improving employee training and awareness on phishing is essential, and networks should be carefully segregated to mitigate potential damage caused by hackers.

Generative AI has undoubtedly transformed the phishing scene, but it has also compelled cybersecurity companies to integrate AI into their defense strategies. The battle against AI-powered attacks will persist as organizations strive to keep up with the evolving threat.

Blog post with links:

[NEW WHITEPAPER] 9 Cognitive Biases Hackers Exploit the Most

Hackers have become increasingly savvy at launching specialized attacks that target your users by tapping into their fears, hopes, and biases to get access to their data.

Cybersecurity is not just a technological challenge, but increasingly a social and behavioral one. People, no matter their tech savviness, are often duped by social engineering scams like CEO fraud, because of their familiarity and immediacy factors.

Bad actors know how to tap into specific mental patterns we all have called cognitive biases to trick users into compromising sensitive information or systems.

In this whitepaper, explore how a better understanding of how hackers are duping users can help you identify potential cognitive biases, deliver training that actually changes behaviors, and cut down on security incidents.

Read this whitepaper to learn:

  • How hackers get users to click by understanding how they tick
  • Examples of specific cognitive biases hackers use the most through social engineering
  • How new-school security awareness training and real-time security coaching can be used to nudge users toward more secure behavior

Download this whitepaper today!

Can Someone Guess My Password From the Wi-Fi Signal On My Phone?

Cybercriminals can't ascertain your phone password just from a Wi-Fi signal, but they can come close according to a method described in a recent research paper. Researchers have demonstrated a method that uses Wi-Fi signals to infer numerical passwords, and the mechanics behind it are nothing short of intriguing.

Side-channel attacks often remind me of James Bond-like espionage. So does a research paper that is to appear at ACM CCS later this year. The attack leverages something called Beamforming Information (BFI), which are essentially navigation instructions that guide your phone in sending data to an access point.

These instructions are updated periodically to account for the phone moving or obstacles appearing. Here is the kicker: when you type on your phone's screen, your finger movements and the way you hold the phone directly affect the Wi-Fi antenna located behind the screen. As a result, the BFI signal carries enough information about your grip and typing to reveal your keystrokes.

[CONTINUED at the KnowBe4 blog:]

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] How to Transform Security Awareness Into Security Culture:

PPS: Mark Cuban's MetaMask wallet drained nearly $900,000 in suspected phishing attack:

Quotes of the Week  
"Leave every place better than you found it."
- Attributed to Robert Baden-Powell (1857 - 1941)

"The greatest threat to our planet is the belief that someone else will save it."
- Robert Swan (1956 - )

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Hacker Deepfakes Employee's Voice in Phone Call to Breach IT Company

Last month, Retool, a business software development company, fell victim to a sophisticated cyberattack that compromised 27 of its cloud customers.

The attack was a toxic cocktail of social engineering, AI deepfake technology, and a vulnerability in Google's Authenticator app.

The attacker initiated the breach by sending phishing SMS messages to Retool employees, posing as an IT team member addressing a payroll issue. While most employees ignored the message, one clicked on the URL, leading them to a fake login portal with multi-factor authentication (MFA).

Here's where it gets eerie: the hacker then called the employee using an AI-generated deepfake of a familiar voice from the IT team. Despite growing suspicion, the employee gave away an additional MFA code. This suggests the attacker had prior knowledge of the company, possibly indicating an earlier infiltration.

Once the MFA code was surrendered, the hacker gained access to the employee's GSuite account. This was particularly damaging because Google Authenticator's new cloud-syncing feature allowed the attacker to view MFA codes on multiple devices. Retool emphasized that this Google feature was a significant vulnerability, as compromising a Google account now also exposes all synced MFA codes.
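What the Authenticator cloud sync carries is the TOTP seed for each account, and the seed is all anyone needs to compute the same six-digit codes the phone displays. The Python below is an added illustration, not code from Retool, Google or the newsletter; it uses the RFC 6238 reference key as a constructed seed, and the helper names (decode_seed, verify_totp, new_seed) are my own. It also shows the defender's remedy: once the Google account is compromised, the old seeds are spent and every affected account must be re-enrolled with a fresh seed.

```python
"""TOTP (RFC 6238) worked example: the synced seed is the whole secret.

Added illustration, not code from Retool, Google or KnowBe4. The seed is
constructed (the RFC 6238 reference key); the helper names are hypothetical.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed sample seed: the RFC 6238 reference key, base32-encoded the way an
# authenticator app stores it after reading an otpauth:// URI. Whoever reads the
# synced backup gets exactly this value.
SAMPLE_SEED_BASE32 = base64.b32encode(b"12345678901234567890").decode()


def decode_seed(seed_base32: str) -> bytes:
    """Decode a base32 TOTP seed, tolerating spaces, lowercase and missing '=' padding."""
    cleaned = seed_base32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / period).

    Nothing here depends on the device: the phone, a synced backup, or an
    attacker holding a copy of the seed all produce the same string.
    """
    return hotp(seed, unix_time // period, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                period: int = 30, window: int = 1) -> bool:
    """Server-side check that accepts +/- `window` steps of clock drift.

    Uses hmac.compare_digest so the comparison does not leak timing.
    """
    step = unix_time // period
    return any(
        hmac.compare_digest(hotp(seed, step + drift), submitted)
        for drift in range(-window, window + 1)
    )


def new_seed(length: int = 20) -> bytes:
    """Re-enrollment after compromise: a fresh random seed. Codes derived from any
    copy of the old seed (including a synced backup) stop verifying."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    now = int(time.time())
    seed = decode_seed(SAMPLE_SEED_BASE32)
    code = totp(seed, now)
    print("code from the seed right now:", code)
    print("verifies against the old seed:", verify_totp(seed, code, now))
    print("verifies after re-enrollment:", verify_totp(new_seed(), code, now))
```

Run stand-alone it prints the current code for the sample seed, shows it verifying, and then shows the same code failing against a freshly generated seed. That last line is the point for incident response: revoking the attacker's Google session is not enough, because the seeds the attacker already read keep producing valid codes until each account is re-enrolled.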

Retool has since revoked the hacker's access and is sharing its experience to alert other companies. The incident underscores the evolving threats in cybersecurity, highlighting the need for a strong security culture and updated security procedures. Retool also urged Google to reconsider the cloud-syncing feature in its Authenticator app.

Deepfakes on the Rise: How to Fortify Your Cyber Defenses Now

The United States FBI, NSA, and CISA have released a joint report outlining the various social engineering threats posed by deepfakes.

"Threats from synthetic media, such as deepfakes, present a growing challenge for all users of modern technology and communications, including National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators," the report says.

[CONTINUED] at the KnowBe4 blog with links:

The Nigerian Prince Scam Gets an AI Update

Criminals have begun using generative AI tools like ChatGPT to refine the venerable Nigerian prince scam, according to researchers at Abnormal Security.

"Abnormal recently uncovered more than a thousand attacks targeting orgs using at least 70 unique email addresses," the researchers write. "While it feels that these are old news, we can surmise that these attacks are still being sent because they work—people continue to fall for them at a rapid enough pace that they are still worth the effort put into them."

While Nigerian prince scams have long been associated with typos and grammatical errors, generative AI tools allow criminals to craft convincing phishing emails that could fool even discerning users.

Additionally, while the core of the scam has remained the same, many criminals have shifted their focus to target businesses rather than individuals.

"These attacks rely on common social engineering tactics like urgency and human decency, preying on the empathy of the recipient and their willingness to help in an emergency," Abnormal says. "And they're not simply sent to personal email addresses anymore. These attacks were all sent to business email addresses at organizations and appear to be entirely industry agnostic, targeting higher education, retail, healthcare, law firms, and more."

Notably, around half of the attacks observed by Abnormal referred to business deals. "Whereas the traditional Nigerian Prince schemes spoke only of personal gain, some of these newer versions are related to business transactions, including one from The Ministry of Defence of Ukraine," the researchers write.

"This attack asks the recipient to deposit $50M in exchange for 10% of the money, in a '100% risk free' business transaction. This is an evolution of the traditional 419 scam, now referencing business transactions rather than personal ones."

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for these types of scams.

Abnormal Security has the story:

What KnowBe4 Customers Say

"Good afternoon, Mr. Sjouwerman, this week is my last week with my current job and my CSM said you would love to hear from me. KB4 is far and away the best platform I have used for testing and training. Please continue adding enhancements and bolstering your offering. It is amazing.

As far as my experience with my CSM, Jessica has been nothing short of perfection. It is nice having a CSM who you know you can rely on and reach out to with questions and get a prompt response. She should be commended and promoted, in my opinion. One of the best I have worked with across all of technology."

- J.A., CSAP, SSCP, CNSP, CNVP Infosec Officer

The 10 Interesting News Items This Week
  1. AI Models Under Attack: Protecting Your Business From AI Cyberthreats:

  2. How to Prevent Risky Cybersecurity Behaviors Creeping into Your Organization:

  3. UK National Cyber Security Centre: Ransomware, extortion and the cybercrime ecosystem:

  4. Russian cyber diplomat warns against US escalation in cyberspace. SCROLL DOWN:

  5. ChatGPT Jailbreaking Forums Proliferate in Dark Web Communities:

  6. CISA offers free security scans for public water utilities:

  7. Apple and Google Are Introducing New Ways to Defeat Cell Site Simulators, But Is it Enough?:

  8. Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475:

  9. "MrTonyScam" — Botnet of Facebook Users Launch High-Intent Messenger Phishing Attack on Business Accounts:

  10. macOS Info-Stealer Malware 'MetaStealer' Targeting Businesses:
